Security Operations Fundamentals > [T4]: Perform Windows Security Assessments with CIS-CAT Lite

CIS Benchmark

We have already looked at benchmarks in general and introduced the CIS Benchmarks. Let's now take a quick look at "CIS-CAT Lite," a tool that assesses a Windows system against a CIS Benchmark and generates a findings report.

According to CIS:

"CIS-CAT Lite is a free assessment tool developed by the CIS (Center for Internet Security, Inc.). CIS-CAT Lite helps users implement secure configurations for multiple technologies. With unlimited scans available via CIS-CAT Lite, your organization can download and start implementing CIS Benchmarks in minutes."

First, go to this link, fill out the form, and you should receive an email with the download link in your inbox. You may use any Windows 10 machine for this exercise.

Figure

Download the archive and extract the tool's files:

Figure

Open the assessment tool:

Figure

Select the Basic mode.

Figure

Select a benchmark and a profile. There is a single benchmark for Windows 10, but it offers multiple profiles. Most CIS Benchmarks ship with several configuration profiles, each representing a different level of hardening. In the screenshot, the selected profile maps to Implementation Group 1.

Implementation Groups (IGs) are CIS's recommended way to prioritize the implementation of the CIS Critical Security Controls (CIS Controls). The CIS Controls define Implementation Group 1 (IG1) as essential cyber hygiene: an emerging minimum standard of information security for all enterprises. IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards, the ones every enterprise should apply to defend against the most common attacks.

An IG1 enterprise is typically small to medium-sized, with limited IT and cybersecurity expertise available to protect its assets and personnel. Its main concern is keeping the business operational, since it has little tolerance for downtime. The data it protects is of low sensitivity, mostly employee and financial information. Safeguards selected for IG1 should therefore be implementable with limited cybersecurity expertise and aimed at thwarting general, non-targeted attacks.

Figure

The tool may ask for your input on specific configuration values, so you will need to answer a few interactive questions before the assessment starts. Remember what we keep repeating throughout the course: no one size fits all. Each organization has different requirements and business needs, and these answers tell the tool what "compliant" means for yours.

Figure

Now click "Next".

Figure

Let's start the assessment!

Figure

The tool will assess the host Windows 10 machine against the selected benchmark and show the progress of the assessment process.

Figure

When the assessment finishes, the tool generates a report containing all findings. Select it and click "View HTML" to open it.

Figure

Figure

The generated report includes a summary followed by a detailed list of passed and failed checks. Passed checks are the security recommendations and controls already implemented on the scanned machine; failed checks mark the areas that are non-compliant with the selected profile.

For example, in the report below the scanned machine still has the default password setting for that control, so the check failed.
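To see what a check like this actually looks at, here is an added example (not part of the course page and not code from CIS-CAT) that reproduces a few of the password-policy checks by hand: it exports the local security policy with secedit and compares the values with the Level 1 recommendations from the "Account Policies" section of the CIS Windows 10 Benchmark. The expected values are the benchmark's recommendations as I recall them; re-check them against the benchmark version and profile you selected in the tool. It must be run from an elevated PowerShell prompt because secedit /export requires administrator rights.

```powershell
# Added example: manual reproduction of CIS-CAT style password-policy checks.
# Not part of the course page or the CIS-CAT tool. Run as Administrator.

$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse the [System Access] section of the exported INI into a hashtable.
# Numeric values become integers; quoted strings (e.g. NewAdministratorName) are kept as text.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $value = $Matches[2]
        $policy[$Matches[1]] = if ($value -match '^-?\d+$') { [int]$value } else { $value.Trim('"') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Each check: CIS recommendation id (assumed from the Windows 10 Benchmark, Level 1),
# a description, and a scriptblock that returns $true when the host is compliant.
# Note: secedit reports MaximumPasswordAge = -1 when passwords never expire, which must fail.
$checks = @(
    @{ Id = '1.1.1'; Name = 'Enforce password history (24 or more)';
       Test = { $policy.PasswordHistorySize -ge 24 } },
    @{ Id = '1.1.2'; Name = 'Maximum password age (365 or fewer days, but not 0)';
       Test = { $policy.MaximumPasswordAge -ge 1 -and $policy.MaximumPasswordAge -le 365 } },
    @{ Id = '1.1.3'; Name = 'Minimum password age (1 or more days)';
       Test = { $policy.MinimumPasswordAge -ge 1 } },
    @{ Id = '1.1.4'; Name = 'Minimum password length (14 or more characters)';
       Test = { $policy.MinimumPasswordLength -ge 14 } },
    @{ Id = '1.1.5'; Name = 'Password must meet complexity requirements (Enabled)';
       Test = { $policy.PasswordComplexity -eq 1 } }
)

$results = foreach ($c in $checks) {
    $pass = & $c.Test
    [pscustomobject]@{
        Id     = $c.Id
        Check  = $c.Name
        Result = $(if ($pass) { 'Pass' } else { 'Fail' })
    }
}

$results | Format-Table -AutoSize

# Summary line in the same spirit as the CIS-CAT report header
$failed = @($results | Where-Object Result -eq 'Fail').Count
"{0} of {1} checks passed" -f ($results.Count - $failed), $results.Count
```

A fresh Windows 10 install typically fails 1.1.1, 1.1.3 and 1.1.4 here because the defaults are 0 remembered passwords, 0 days minimum age and 0 characters minimum length, which is exactly the kind of "default setting still in place" finding the report above shows. This is also why the Pass/Fail split in the HTML report is only half the story: the remediation text for each failed check tells you which policy to change, and the script's comparison logic is what a hardening pipeline would re-run after applying it.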

Figure

To see the report's content in detail, please look at this sample report. One thing worth noting: CIS also offers a paid, Pro version of the tool that runs from the command line (CLI) and collects the existing configuration itself, so you do not have to answer the yes/no questions manually as you do in the Lite version.
